DOE F 1325.8
(08-93)
United States Government                                    Department of Energy

Memorandum

        DATE:    September 28, 2007                  Audit Report No.: OAS-L-07-25
   REPLY TO
    ATTN OF:    IG-34 (A07TG028)
    SUBJECT:    Report on Audit of "Remote Access to the Department's Unclassified Information Systems"
         TO:    Administrator, National Nuclear Security Administration, NA-1
                Under Secretary for Science, SC-1
                Acting Under Secretary of Energy, NE-1
                Chief Information Officer, IM-1

INTRODUCTION AND OBJECTIVE

To help accomplish its strategic goals and mission requirements, the Department of Energy (Department or DOE) utilizes numerous interconnected computer networks and individual systems, including ones accessed remotely. While remote access by authorized individuals can provide numerous advantages, such as the capability to perform business-related functions, retrieve electronic mail, and access business applications while out of the office, allowing these capabilities can expose Department systems to an increased level of vulnerability to attack. For example, an authorized user working from his or her home computer system could inadvertently introduce a virus or allow an attacker access to the Department's networks and systems if the personally-owned system is not adequately protected.

In 2002, our report on Remote Access to Unclassified Information Systems (DOE/IG-0568, September 2002) identified that the Department had not adequately considered the risk associated with remote access to unclassified information systems, developed specific guidance for remote access security, or required protective measures such as personal firewalls and virus protection software. Because of the increasingly widespread use and evolving nature of risks regarding remote access, we initiated this audit to follow up on our prior work and determine whether the Department had adequately secured its information and information systems from unauthorized remote access.

CONCLUSION AND OBSERVATIONS

Since our previous report, the Department has taken a number of actions to secure its information and information systems from unauthorized remote access. For instance, Department-level policy was issued along with high-level guidance relating to remote access security. The Department has also focused heavily on protecting access to personally identifiable information (PII), which has, in turn, strengthened protections over remote access, such as the implementation of two-factor authentication tools. Similarly, at the organizations visited, we observed that the actual practices for protecting remote access were generally adequate. However, we found that the actual practices noted above were generally ahead of efforts to ensure that the cyber security documentation was up-to-date and reflected these modernized protective practices.

                     Actions Taken to Secure Information Systems

In response to our prior report and changes in Federal requirements, the Department has taken a number of positive actions to improve remote access security. For instance, in February 2004, the Department's Office of Chief Information Officer (OCIO) issued Department of Energy Notice 205.11, which re-emphasized requirements set in Federal law to employ a documented risk-based approach and set forth minimum requirements for security of remote access to Department and contractor information systems. The Notice required the program offices to implement these requirements by May 2004.

The Department next issued Order 205.1A, which defined a Department-wide cyber security management program. The Order allows the OCIO to define the technical and management requirements (TMRs) to be implemented by each Under Secretary organization and requires each Under Secretary to document TMR implementation in Program Cyber Security Plans (PCSPs). The PCSPs serve as the overarching direction to organizations under each Under Secretary's purview for implementing program-specific requirements and the requirements of the OCIO's TMRs. The sites and organizations having responsibilities to each Under Secretary must be able to demonstrate they have implemented requirements as set forth in the corresponding PCSP through their own cyber security planning documentation and related activities.

In January 2007, the OCIO issued a guidance memorandum on remote access that required senior Department managers to define, in their PCSPs, the policies, processes, and procedures for allowing remote access to their systems from outside of the systems' accreditation boundaries. The program offices were asked to incorporate the guidance in their program-level direction by April 19, 2007. Finally, the OCIO issued TMRs covering remote access and the use of external information systems in August 2007.

                      Updates to Cyber Security Documentation

While remote access practices at the organizations visited appeared to be generally adequate, the cyber security documentation at both the program and site levels had not yet been updated to reflect these efforts. In particular, the PCSPs issued by Headquarters organizations did not always include adequate direction or policies and procedures for allowing remote access to accredited systems. For example, the Office of Science's PCSP covered remote access at a high level, but did not provide all required guidance or direction to its program organizations or sites for implementing remote access controls. Similarly, the Office of Environmental Management's PCSP did not provide the essential guidance or direction to its program organizations or sites for implementing remote access controls.

Certification and accreditation documentation from six Department sites also did not specify requirements for remote access or for updating PII protections. Specifically, although the necessary management, operational, and technical controls relating to remote access appeared to be in place, they were not adequately outlined in the site-level cyber security program plans. Details describing security-related patching of operating system and application software, updates for anti-virus scanners, and minimum requirements for configuration on equipment used for remote access were also not included.

SUGGESTED ACTIONS

To ensure that remote access risks and associated protective measures can be adequately evaluated and implemented, we suggest that the Administrator, National Nuclear Security Administration, Under Secretary for Science, and the Under Secretary of Energy, in coordination with the Chief Information Officer, update PCSPs and requirements for governing remote access to accredited systems, consistent with the Department's technical and management requirements as well as guidance from the National Institute of Standards and Technology.

Since no formal recommendations are being made in this report, a formal response is not required. We appreciate the cooperation of your staff during this audit.

                                        Rickey R. Hass
                                        Assistant Inspector General
                                          for Financial, Technology, and Corporate Audits
                                        Office of Audit Services
                                        Office of Inspector General

Attachment

cc:   Chief of Staff
      Team Leader, Audit Liaison, CF-1.2
      Director, Policy and Internal Controls Management, NA-66
      Audit Liaison, EM-33
      Audit Liaison, FE-3
      Audit Liaison, IM-10
      Audit Liaison, HS-1.23
      Audit Liaison, SC-32.1

                                                                              Attachment

SCOPE AND METHODOLOGY

Fieldwork on the follow-up audit of Remote Access to the Department of Energy's (Department) Unclassified Information Systems was performed between November 2006 and August 2007 at several Department locations. To accomplish the audit objective, we:

      *   Reviewed applicable laws, regulations, and guidance pertaining to remote access to information systems. We also reviewed relevant reports issued by the Office of Inspector General and the Government Accountability Office;

      *   Reviewed the Government Performance and Results Act of 1993 and determined if performance measures had been established for remote access;

      *   Held discussions with Department officials and personnel from the field sites and obtained and reviewed relevant cyber security documentation regarding remote access practices; and,

      *   Examined configuration settings and practices for obtaining remote access to the Department's networks via selected systems.

The audit was performed in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. Accordingly, we assessed significant internal controls and performance measures under the Government Performance and Results Act of 1993 regarding management of remote access services. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We did not rely on computer-processed data to accomplish our audit objective. We discussed the results of our audit with Department representatives on September 27, 2007.